Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBI’s Internet Crime Complaint Center (IC3).
The IC3 report released Thursday correctly identifies some of the most prevalent and insidious forms of cybercrimes today, but the total financial losses tied to each crime type also underscore how infrequently victims actually report such crimes to law enforcement.
For example, the IC3 said it received 17,146 extortion-related complaints, with an adjusted financial loss totaling just over $15 million. In that category, the report identified 2,673 complaints identified as ransomware — malicious software that scrambles a victim’s most important files and holds them hostage unless and until the victim pays a ransom (usually in a virtual currency like Bitcoin).
According to the IC3, the losses associated with those ransomware complaints totaled slightly more than $2.4 million. Writing for BleepingComputer.com — a tech support forum I’ve long recommended that helps countless ransomware victims — Catalin Cimpanu observes that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats.”
“The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities,” Cimpanu writes.
It’s difficult to know how what percentage of ransomware victims paid the ransom or were able to restore from backups, but one thing is for sure: Relatively few victims are reporting cyber fraud to federal investigators.
The report notes that only an estimated 15 percent of the nation’s fraud victims report their crimes to law enforcement. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion.
If that 15 percent estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to $9 billion, and the losses from ransomware attacks upwards of $16 million.
The IC3 reports that last year it received slightly more than 12,000 complaints about CEO fraud attacks — e-mail scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster. The fraud-fighting agency said losses from CEO fraud (also known as the “business email compromise” or BEC scam) totaled more than $360 million.
Applying that same 15 percent rule, that brings the likely actual losses from CEO fraud schemes to around $2.4 billion last year.
Some 10,850 businesses and consumers reported being targeted by tech support scams last year, with the total reported loss at around $7.8 million. Perhaps unsurprisingly, the IC3 report observed that victims in older age groups reported the highest losses.
Many other, more established types of Internet crimes — such as romance scams and advanced fee fraud — earned top rankings in the report. Check out the full report here (PDF). The FBI urges all victims of computer crimes to report the incidents at IC3.gov. The IC3 unit is part of the FBI’s Cyber Operations Section, and it uses the reports to compile and refer cases for investigation and prosecution.